Inria / Raweb 2003
Project: VASY

Section: New Results

Models and Verification Techniques

The BCG_GRAPH Tool
Participants : David Champelovier, Hubert Garavel, Frédéric Lang, Frédéric Tronel.

Bcg_Graph is a tool that efficiently generates the Bcg graphs corresponding to Fifo communication buffers; it was designed to speed up the compositional verification of asynchronous systems (see § 6.3.2).

In 2003, we extended Bcg_Graph so as to generate two other kinds of graphs:

Bcg_Graph (2,700 lines of C code) can generate large Bcg graphs (hundreds of thousands of states) within a few minutes. The generated graphs are always minimal modulo strong bisimulation.

The CAESAR_SOLVE Library
Participant : Radu Mateescu.

Cæsar_Solve is a generic software library for solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several Cadp verification tools, namely the equivalence checker Bisimulator (see § 6.1.3), the model checker Evaluator 4.0 (see § 6.1.4), and the τ-confluence reduction tool (see § 6.1.6). The resolution method is based on boolean graphs, which provide an intuitive representation of the dependencies between boolean variables; boolean graphs are handled implicitly, in a way similar to the Open/Cæsar interface.

The Cæsar_Solve library provides four resolution algorithms: A1 and A2 are general algorithms based on depth-first and breadth-first traversals of boolean graphs, respectively; A3 and A4 are optimized for acyclic and for disjunctive/conjunctive boolean graphs, respectively, and rely on memory-efficient depth-first traversals. All four algorithms can generate diagnostics explaining why a result is true or false (examples and counterexamples).

In 2003, the Cæsar_Solve library (7,250 lines of C code) was extended and improved as follows:

The Cæsar_Solve library was subject to an invited publication [23].

The BISIMULATOR Tool
Participants : Nicolas Descoubes, Radu Mateescu.

Bisimulator is an equivalence checker, which takes as input two graphs to be compared (one represented implicitly using the Open/Cæsar environment, the other represented explicitly as a Bcg file) and determines whether they are equivalent (modulo a given equivalence relation) or whether one of them is included in the other (modulo a given preorder relation).

Bisimulator works on the fly, meaning that only those parts of the implicit graph that are pertinent to the verification are explored. Thanks to the use of Open/Cæsar, Bisimulator can be applied directly to descriptions written in high-level languages (for instance, Lotos). This is a significant improvement over older tools (such as Aldébaran and Fc2Implicit), which only accept lower-level models (products of communicating automata).

Bisimulator works by reformulating the graph comparison problem as a boolean equation system, which is solved using the Cæsar_Solve library (see § 6.1.2). A useful feature of Bisimulator is the generation of diagnostics (counterexamples), which explain why two graphs are not equivalent (or why one is not included in the other). The counterexamples generated by Bisimulator are directed acyclic graphs, usually much smaller than those generated by other tools (such as Aldébaran) that can only produce counterexamples restricted to sets of traces.
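To make the mechanism described above concrete, the following is an added example (it is not code from Cadp, Cæsar_Solve or the Vasy team). It implements a depth-first local resolution of a single-block boolean equation system in the spirit of algorithm A1, then uses it the way Bisimulator uses Cæsar_Solve: strong bisimulation between two graphs is encoded as a maximal fixpoint BES whose variables are expanded only on demand, and when the graphs are not bisimilar the justification edges recorded during propagation are returned as a counterexample DAG. The variable names (`X`, `L`, `R`), the `succ(var) -> (op, deps)` interface and the two constructed pairs of labelled transition systems (here both given explicitly, rather than one implicitly via Open/Cæsar) are assumptions of this example, not Cæsar_Solve's API.

```python
"""Added example, not CADP code: local (on-the-fly) resolution of a single-block
boolean equation system over an implicit boolean graph, applied to strong
bisimulation checking with diagnostic extraction."""
from collections import defaultdict


def solve(root, succ, fixpoint):
    """Resolve `root` in a BES whose equations all have sign `fixpoint`
    ("mu" minimal, "nu" maximal).  succ(var) -> (op, deps), op in {"and","or"};
    ("and", []) is the constant true and ("or", []) the constant false.
    Depth-first and demand-driven: a variable is expanded only when reached.
    Returns (value of root, reason), where reason[x] lists the successors
    that justify the value assigned to x."""
    value, reason, op, deps, pending = {}, {}, {}, {}, {}
    preds = defaultdict(list)                # back edges used for propagation
    stack, seen = [root], {root}

    def settle(x, v, why):
        work = [(x, v, why)]
        while work:
            y, vy, wy = work.pop()
            if y in value:
                continue
            value[y], reason[y] = vy, wy
            for p in preds[y]:               # propagate to waiting predecessors
                if p in value:
                    continue
                if vy == (op[p] == "or"):    # true decides an OR, false an AND
                    work.append((p, vy, [y]))
                else:
                    pending[p] -= 1
                    if pending[p] == 0:      # all successors seen, none decisive
                        work.append((p, op[p] == "and", list(deps[p])))

    while stack and root not in value:       # stop as soon as root is known
        x = stack.pop()
        op[x], deps[x] = succ(x)
        pending[x] = 0
        for d in deps[x]:
            if d in value:
                if value[d] == (op[x] == "or"):
                    settle(x, value[d], [d])
                    break
            else:
                pending[x] += 1
                preds[d].append(x)
                if d not in seen:
                    seen.add(d)
                    stack.append(d)
        if x not in value and pending[x] == 0:
            settle(x, op[x] == "and", list(deps[x]))
    if root not in value:
        # Exhaustive exploration left root on a cycle with no acyclic
        # justification: it takes the fixpoint default (mu: false, nu: true).
        for x in seen:
            if x not in value:
                value[x], reason[x] = fixpoint == "nu", list(deps[x])
    return value[root], reason


def diagnostic(root, reason):
    """Edges of the justification subgraph rooted at `root` (a DAG when the
    value was established by propagation rather than by the cycle default)."""
    edges, todo, done = [], [root], set()
    while todo:
        x = todo.pop()
        if x in done:
            continue
        done.add(x)
        for y in reason[x]:
            edges.append((x, y))
            todo.append(y)
    return edges


def strong_bisimulation_bes(lts1, lts2):
    """Implicit boolean graph for strong bisimulation of two LTSs given as
    dict state -> [(action, target)].  Variable ("X", p, q) means p ~ q;
    ("L", p2, a, q) means q matches the move p -a-> p2, and symmetrically
    ("R", q2, a, p) means p matches q -a-> q2."""
    def succ(var):
        if var[0] == "X":                                # every move is matched
            _, p, q = var
            return "and", ([("L", p2, a, q) for a, p2 in lts1.get(p, [])]
                           + [("R", q2, a, p) for a, q2 in lts2.get(q, [])])
        if var[0] == "L":
            _, p2, a, q = var
            return "or", [("X", p2, q2) for b, q2 in lts2.get(q, []) if b == a]
        _, q2, a, p = var
        return "or", [("X", p2, q2) for b, p2 in lts1.get(p, []) if b == a]
    return succ


def bisimilar(lts1, s1, lts2, s2):
    """Decide s1 ~ s2 on the fly; return (verdict, counterexample edges)."""
    root = ("X", s1, s2)
    verdict, reason = solve(root, strong_bisimulation_bes(lts1, lts2), "nu")
    return verdict, ([] if verdict else diagnostic(root, reason))


# Constructed sample graphs.  VM1 chooses the drink after the coin, VM2 at the
# coin: trace-equivalent but not strongly bisimilar.  CYC and UNR (its
# four-state unrolling) are bisimilar; the nu default settles their cycle.
VM1 = {"p0": [("coin", "p1")], "p1": [("coffee", "p2"), ("tea", "p3")]}
VM2 = {"q0": [("coin", "q1"), ("coin", "q2")],
       "q1": [("coffee", "q3")], "q2": [("tea", "q4")]}
CYC = {"s0": [("a", "s1")], "s1": [("b", "s0")]}
UNR = {"t0": [("a", "t1")], "t1": [("b", "t2")],
       "t2": [("a", "t3")], "t3": [("b", "t0")]}

if __name__ == "__main__":
    print(bisimilar(VM1, "p0", VM2, "q0"))   # (False, 3 counterexample edges)
    print(bisimilar(CYC, "s0", UNR, "t0"))   # (True, [])
```

Two points of the text show up directly in the run. The resolution is "on the fly" because the main loop stops the moment the root variable is settled, so for the vending machines only the part of the product reachable through the unmatched `coin` move is ever expanded. The counterexample is a small DAG of three edges (root, the unmatched move of `q0`, the pair `(p1, q2)` and the missing `coffee` transition), which is the kind of explanation the text contrasts with trace-based counterexamples; the bisimilar pair, whose dependencies form a cycle, is settled by the maximal fixpoint default after exhaustive exploration.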

In 2003, we continued the development of the Bisimulator tool (10,000 lines of C code):

The EVALUATOR 4.0 Tool

Participant : Radu Mateescu.

Evaluator 4.0 is an on-the-fly model checker for temporal properties containing data. These properties are evaluated on a graph represented implicitly using the Open/Cæsar environment. The input language of Evaluator 4.0 is the regular alternation-free μ-calculus extended with typed variables. It offers primitives for handling states and transitions in logic formulas, which makes it possible to express non-standard properties (such as the fact that a state has a looping transition on itself, or that a finite sequence of transitions contains the same number of occurrences of two actions A and B).

In 2003, we continued the development of Evaluator 4.0. Our work focused on improving the translation of the verification problem into a boolean equation system. We devised two property-preserving reductions, which are performed on the fly on the Open/Cæsar graph:

These reductions significantly increase the speed of Evaluator 4.0 (by a factor of up to 5 for graphs containing many τ-transitions).

The AAL Tool

Participants : Alban Catry, David Champelovier, Hubert Garavel, Radu Mateescu.

In the framework of the ArchWare project (see §  7.1), we focused on the analysis of software architectures:

Partial Order Reduction Tools

Participants : Frédéric Lang, Radu Mateescu.

A way to fight state explosion is partial order reduction, which tries to avoid exploring the redundant interleavings caused by independent, concurrent transitions. A form of partial order reduction that preserves branching equivalence is the so-called τ-confluence [44]. It consists in identifying, for each state s, the set C(s) of confluent τ-transitions going out of s, meaning that after their execution any other transition going out of s can still be executed. The reduction consists in eliminating all transitions going out of s except those in C(s).

In 2003, we developed a τ-confluence reduction tool (800 lines of C code) for graphs represented implicitly using the Open/Cæsar environment. This tool encodes the definition of τ-confluence as a boolean equation system, which is solved on the fly using the general algorithms A1 and A2 provided by the Cæsar_Solve library (see § 6.1.2). Experiments on various communication protocols indicate that τ-confluence significantly reduces the number of states (up to 6 times) and transitions (up to 10 times).

The work on τ-confluence led to a publication [24].

The EXP.OPEN 2.0 Tool

Participant : Frédéric Lang.

Exp.Open 2.0 is a compositional verification tool that explores on the fly the graph corresponding to a network of communicating automata (represented as a set of Bcg files). These automata are composed in parallel using either algebraic operators (as in Ccs, Csp, Lotos, and μCrl), "graphical" operators (as in E-Lotos and Lotos NT [10]), or synchronization vectors (as in the Mec and Fc2 tools). Additional operators are available to hide and/or rename labels (using regular expressions) and to cut certain transitions.

Version 2.0 of Exp.Open was developed in 2002 to overcome the limitations of the previous version 1.0. In 2003, we worked along the following lines:

The Exp.Open 2.0 tool consists of 1,700 lines of Syntax code, 6,400 lines of Lotos NT code, and 1,600 lines of C code. An article about Exp.Open 2.0 was submitted to an international conference.

Parallel and Distributed Verification Tools

Participants : Nicolas Descoubes, Hubert Garavel, Christophe Joubert, Radu Mateescu.

Enumerative verification algorithms need to explore and store very large graphs and are therefore often limited by the capabilities of current sequential machines. To push these limits forward, we are studying parallel and distributed algorithms adapted to the clusters of Pcs and networks of workstations available in most research laboratories.

Our initial efforts focused on parallelizing the graph construction algorithm [7], which is a bottleneck for verification since it requires considerable memory to store all reachable states. In this respect, we developed the following software:

In 2003, we improved the distributed model checking tools as follows:

An article on distributed model checking was published [21].

Other Tool Developments

Participants : Damien Bergamini, Aurore Collomb, Nicolas Descoubes, Hubert Garavel, Christophe Joubert, Frédéric Lang, Frédéric Tronel.

We also improved the following Cadp tools and libraries:

We also contributed to other tools outside the Vasy team: